10 Things the Ransomware Attacks taught us 💻


Earlier it was CryptoLocker, today it's WannaCry, and who knows what it will be tomorrow. Gone are the days when a virus on your machine meant you ran the antivirus and fixed the problem. In the worst case you restored a corrupt file from the backup and carried on with your work. Unfortunately, the latest wave of ransomware is far more advanced; so much so that the latest and greatest antivirus is not capable of even detecting it, let alone removing it.

What was awful was that the computers attacked recently were running built-in firewalls, were behind network firewalls, and were operating in a rather controlled environment. So what exactly went wrong?

Here, in my opinion, are the 10 takeaways from the organizations that were impacted. These should be treated as guidelines, not just for implementing cyber security tactically, but for taking a strategic and holistic approach across the organization.

So here is the list of 10 things we learnt:

  1. Any industry can be attacked:

    It was believed in the past that computer viruses were very much a problem for IT firms, but that's not true. Even manufacturing and healthcare organizations were impacted, so everyone needs to wake up and take it seriously. Do not take your IT systems for granted.

  2. Cyber security is an investment and not an expenditure:

    It is time for CxOs to realize that cyber security is an integral part of the yearly budget, and that in the finance books the numbers should fall on the investment side and not otherwise. This is because it can easily be demonstrated that, over time, the money spent has a computable ROI (return on investment).

  3. Perimeter firewalls need to be properly configured:

    An incorrectly configured front-ending firewall is as good (or bad) as one not configured at all. Hire experts who know firewalls well to perform a firewall config audit; that is what it takes for your IT infrastructure to be protected. Anomaly detection should be implemented for enterprises, because a mere firewall may not be good enough: the number of internal and external attacks is very high. Consider a high-end UTM device or a firewall with anomaly detection features. Writing anomaly detection rules is an art, though.

  4. Patching is important. Firms today use great patch management tools:

    However, it has been observed that after an attack, a careful look at the tool dashboard shows that multiple patches were either not applied, or were applied but the workstations were never rebooted for the patches to take effect. In some cases it is imperative to manually check whether or not a patch was really applied. Relying on tools alone can be dangerous. Timely patching is very important and hence should be bound by strict procedures.
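    The manual check described above, as an added example that is not part of the original post: a PowerShell script that asks the workstation itself whether the expected updates are installed (via `Get-HotFix`) and whether a reboot is still pending (via the registry markers Windows sets when an update needs a restart), so the patch tool's dashboard can be cross-checked. The KB identifiers in the parameter are placeholders, not real update ids; replace them with the updates your tool claims it deployed.

```powershell
# Added example (not from the original post): verify on the local workstation that
# specific updates are installed and that no reboot is pending, independently of
# what the patch-management dashboard reports.
# The KB ids below are placeholders; substitute the updates your tool deployed.
param(
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002')   # placeholders, not real updates
)

function Test-RebootPending {
    # Registry markers Windows sets when an installed update still needs a restart.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $markers) {
        if (Test-Path $key) { return $true }
    }
    # Files scheduled to be replaced at next boot (also set by some installers).
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-PatchStatus {
    param([string[]]$KBs)
    # HotFixID is returned in the form 'KBnnnnnnn'.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

$status = Get-PatchStatus -KBs $RequiredKBs
$status | Format-Table -AutoSize

$missing = $status | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning "Updates reported as deployed but not installed here: $($missing.KB -join ', ')"
}

if (Test-RebootPending) {
    Write-Warning 'A reboot is pending: installed updates may not be in effect yet.'
}
else {
    Write-Host 'No pending reboot; installed updates are in effect.'
}
```

    Run it under an administrative session on a sample of workstations after each patch cycle; a host that shows an update as installed but still reports a pending reboot is exactly the "applied but never rebooted" case the dashboard hides.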

  5. USB drives are notorious:

    Consider not enabling USB unless there is a reason to do so. Careful, centralized implementation of technical policies to enable or disable USB drives helps a lot in the longer run. Ideally no exception should be made when disabling USB drives, because a single machine with USB enabled can pretty much render the whole network vulnerable.
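    The centralized policy above is normally pushed by Group Policy; the following PowerShell script is an added example, not part of the original post, for auditing whether a given workstation actually has USB mass storage blocked, and for enforcing the block on a host that slipped through. It reads two standard Windows locations: the start type of the USBSTOR driver (4 = disabled) and the "Removable Disks: Deny all access" policy value. Running it with `-Enforce` requires administrative rights; the host list you feed it is your own.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the blocking of USB mass-storage devices on the local workstation.
param(
    [switch]$Enforce
)

$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Class GUID for "Removable Disks" under the Removable Storage Access policies.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstor   -Name Start    -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        UsbStorDriverStart = $start   # 3 = loads on demand (USB storage works), 4 = disabled
        PolicyDenyAll      = $deny    # 1 = "Removable Disks: Deny all access" applied
        Blocked            = ($start -eq 4) -or ($deny -eq 1)
    }
}

function Set-UsbStorageBlocked {
    # Disable the USB storage driver so new mass-storage devices no longer mount.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    # Mirror the Group Policy setting so the local state agrees with the domain baseline.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
}

$before = Get-UsbStorageState
$before | Format-List

if (-not $before.Blocked) {
    if ($Enforce) {
        Set-UsbStorageBlocked
        Write-Host 'USB mass storage is now blocked:'
        Get-UsbStorageState | Format-List
    }
    else {
        Write-Warning 'USB mass storage is enabled on this host; rerun with -Enforce to block it.'
    }
}
```

    The audit half is the useful part in an incident review: collecting `Get-UsbStorageState` output from every workstation shows exactly which machines were the "single exception" the paragraph warns about.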

  6. Shut down unnecessary services:

    Typically there are many services running on workstations or servers which are not used. This not only consumes CPU time but also opens up potential vulnerabilities. Since this is a very technical matter, talk to your system administrator or tech consultant to see which services could be turned off.
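    To make that conversation with the system administrator concrete, here is an added PowerShell example (not from the original post) that compares the services currently running on a host against an allowlist and reports everything else; with `-Disable` it also stops and disables the extras. The allowlist in the parameter is a constructed placeholder, not a recommended baseline: agree the real list with whoever owns the machine before ever running the `-Disable` step.

```powershell
# Added example (not from the original post): report services running outside an
# agreed allowlist, and optionally stop and disable them.
# The default allowlist is a placeholder for illustration only.
param(
    [string[]]$Allowed = @('Dhcp', 'Dnscache', 'EventLog', 'wuauserv', 'WinDefend'),  # placeholder
    [switch]$Disable
)

function Get-UnexpectedServices {
    param([string[]]$AllowList)
    # Running services whose short name is not on the allowlist.
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and ($AllowList -notcontains $_.Name)
    } | Select-Object Name, DisplayName, StartType
}

$extra = Get-UnexpectedServices -AllowList $Allowed
if (-not $extra) {
    Write-Host 'No services outside the allowlist are running.'
    return
}

Write-Host "Services running outside the allowlist on $($env:COMPUTERNAME):"
$extra | Format-Table -AutoSize

if ($Disable) {
    foreach ($svc in $extra) {
        # Stop now and prevent the service from starting at next boot.
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Host "Disabled $($svc.Name)"
    }
}
```

    Run it in report-only mode first across a few representative machines; the output of the report, not the script, is what the administrator reviews to decide which services are genuinely unused.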

  7. Data security is a role, not a task:

    Create a team of champions who own the responsibility for the organization's data security. A great legacy term for this from the BS7799 days is "data protection officer". Designating a person brings more control over the situation and helps with prevention.

  8. Training helps a lot:

    As we know, the machines do their tasks, but only a human can detect that something is going wrong with them. A sudden slowdown or reboot tells us that the behavior is abnormal. Typically only system administrators are trained, but training on the malicious behavior of machines should be extended to the entire staff, including senior management.

  9. Compliance implementation is a must:

    Consider a framework such as ISO 27001, which binds the technical infrastructure and the managing staff together in a set of policies and procedures. It has helped organizations tremendously in the past to stay away from the prying eyes of attackers.

  10. Penetration testing (VAPT) is a must:

    Returning to point 2 above, a vulnerability assessment and penetration test is usually looked at as an IT overhead or merely an audit-satisfying expenditure. This approach dims the focus, and the result is cyber attacks such as ransomware. A third-party assessment gives you the real picture rather than an imagined one, and the quicker you close the gaps, the better off you are in the longer run. Insist on manual penetration testing instead of tools alone, because tools cannot replace humans and attackers are real people.

In summary:

We always need to be aware that ransomware attacks have been around for a while, and it's time to wake up and do something about it strategically, instead of tactically.